On Wed, Jun 15, 2016 at 7:57 AM, Donald Stufft <don...@stufft.io> wrote:
>
>> On Jun 15, 2016, at 7:53 AM, Jim Fulton <j...@jimfulton.info> wrote:
>>
>> If you actually build programs as part of image building, then your
>> image contains build tools, leading to image bloat and potentially
>> security problems as the development tools provide a greater attack
>> surface.
>
> This isn't strictly true, the layering in Docker works on a per RUN command
> basis, so if you compose a single command that installs the build tools,
> builds the thing, installs the thing, and uninstalls the build tools (and
> cleans up any cache), then that's roughly equivalent to installing a single
> binary (except of course, in the time it takes).
OK, fair enough. People would typically start from an image that had the
build tools installed already. But as you point out, you could have a
single step that installed the build tools, built, and then uninstalled
the build tools. You'd avoid the bloat, but have extremely long build
times.

Jim

--
Jim Fulton
http://jimfulton.info
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
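The single-RUN pattern Donald describes, written out as a Dockerfile. This is an added example, not code from the thread or from either author; the base image, the package being built (psutil, which needs a C compiler for its extension module) and the version pin are assumed for illustration.

```dockerfile
# Added example, not from the thread. Base image, package and pin are assumed.
FROM python:3.5-slim

# Everything below is committed as ONE image layer. That is the whole point:
# if the "purge" were a separate RUN, the earlier layer containing gcc would
# still be part of the image, so neither the size nor the attack surface
# would shrink. Caches are removed in the same step for the same reason.
RUN set -eux \
 && apt-get update \
 && apt-get install -y --no-install-recommends gcc libc6-dev \
 && pip install --no-cache-dir psutil==4.3.0 \
 && apt-get purge -y --auto-remove gcc libc6-dev \
 && rm -rf /var/lib/apt/lists/*

# Build-time check that the toolchain really is absent from the final layer
# (fails the build if gcc is still on PATH).
RUN ! command -v gcc

# Sanity check that the compiled extension is importable without the toolchain.
RUN python -c "import psutil; print(psutil.__version__)"
```

Two things to watch when using this pattern: `--auto-remove` is what takes out the compiler's own dependencies (cpp, binutils), not just the `gcc` metapackage; and `--no-cache-dir` keeps pip's download cache out of the layer, since a purged toolchain does nothing for image size if the wheel cache is left behind. The cost is exactly what Jim notes: every rebuild re-downloads and reinstalls the toolchain. Multi-stage builds, added to Docker in 17.05 (after this thread), are the later answer to that trade-off: compile in one stage and copy only the built artifacts into a slim final stage.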